After trying multiple options in the smb.conf file the only way I could
get failover to work was having two ldap servers set up in a multimaster
replication and having a DNS entry set up that round-robins between the
two. Everything seems to work, I can bring down one ldap server and
samba will still authenticate and let users in. Anybody know of any
issues doing it this way?

Thanks,

Gary

> If I have read the documentation correctly, it looks like you can not
> have a failover LDAP server defined in the smb.conf file for the passdb
> backend. It looks like this feature was taken away in an earlier
> release. Is this correct? If not could somebody steer me in the right
> direction.
Hi Gary,

Gary Peck wrote:
> After trying multiple options in the smb.conf file the only way I could
> get failover to work was having two ldap servers set up in a multimaster
> replication and having a DNS entry set up that round-robins between the
> two. Everything seems to work, I can bring down one ldap server and
> samba will still authenticate and let users in. Anybody know of any
> issues doing it this way?
>
> Thanks,
>
> Gary
>
> > If I have read the documentation correctly, it looks like you can not
> > have a failover LDAP server defined in the smb.conf file for the passdb
> > backend. It looks like this feature was taken away in an earlier
> > release. Is this correct? If not could somebody steer me in the right
> > direction.

Is the question how to specify multiple ldap servers in smb.conf?
If so, here is the answer:

  passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"

I.e. put a space-separated list of ldap urls into quotes.

If that was not your question, please clarify.

Cheers - Michael
Gary Peck wrote:
> I have actually tried that and could not get that to work. At least it
> does not work on the version of samba that is bundled with Solaris 10
> (3.0.37).
>
> passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"
> --- This causes a core dump

Oh, I mis-spelled ldap: instead of ldapsam:

> passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
> smbpasswd username fails connecting to primary ldap server and just
> errors out.

Hmm, what ldap library are you using? Reading from the smb.conf manpage:

>>>>> - ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an
>>>>> optional argument (defaults to ldap://localhost)
>>>>>
>>>>> LDAP connections should be secured where possible. This may be done
>>>>> using either Start-TLS (see ldap ssl) or by specifying ldaps:// in
>>>>> the URL argument.
>>>>>
>>>>> Multiple servers may also be specified in double-quotes. Whether
>>>>> multiple servers are supported or not and the exact syntax depends
>>>>> on the LDAP library you use.
>>>>>
>>>>> Examples of use are:
>>>>>
>>>>> passdb backend = tdbsam:/etc/samba/private/passdb.tdb
>>>>>
>>>>> or multi server LDAP URL with OpenLDAP library:
>>>>>
>>>>> passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
>>>>>
>>>>> or multi server LDAP URL with Netscape based LDAP library:
>>>>>
>>>>> passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

So it depends on your LDAP client library and the example I gave you is
valid for openLDAP, possibly not for yours, if it supports multiple
servers at all. You could try the second syntax
ldapsam:"ldap://ldap-1.example.com ldap-2.example.com".

The bottom line is that the string between the quotes has to be a valid
string accepted by the ldap init routine of your library...

Cheers - Michael

> It seems to be the 3.0.22 release that I remember seeing a note that ldap
> failover was deprecated for some reason. The only way I have been able
> to get any type of failover is setting up a DNS entry to round robin
> between two Sun DS7 multimaster directory servers.
>
> Thanks,
>
> Gary
>
> On 3/25/2010 3:16 PM, Michael Adam wrote:
> > [...]
Gary Peck wrote:
> Hi Michael,
>
> This option seemed to work:
>
> passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
>
> I swear I had tried that before, but I must not have. Thanks for your
> help. I am that much closer to having 2000 Faculty/Staff users start
> using the system.

Ok, good to know things are working again!
Please try to keep the list posted.

Cheers - Michael

> Thanks,
>
> Gary
>
> On 3/26/2010 6:15 AM, Michael Adam wrote:
> > [...]
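As an added example (not code from the thread or from Samba), a small Python checker that encodes the two multi-server syntaxes quoted from the smb.conf manpage above, rejects the ldap: prefix that produced the core dump, and flags plaintext ldap:// URLs. The library labels 'openldap' and 'netscape', the function names and the sample lines are constructed here.

```python
import re
import shlex

URL_RE = re.compile(r"^ldaps?://[^\s/]+$")          # full URL: OpenLDAP entries, or the first entry
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")   # bare host[:port]: later Netscape-style entries


def parse_passdb_backend(line):
    """Return (backend, [server tokens]); accepts the value or the whole
    'passdb backend = ...' line. Raises ValueError on the 'ldap:' typo."""
    value = line.strip()
    key, eq, rest = value.partition("=")
    if eq and key.strip() == "passdb backend":
        value = rest.strip()
    backend, sep, arg = value.partition(":")
    if sep and backend != "ldapsam" and backend.startswith("ldap"):
        raise ValueError(f"unknown backend {backend!r}; did you mean 'ldapsam'?")
    # shlex drops the double quotes; the quoted string is then split on spaces
    tokens = " ".join(shlex.split(arg)).split() if sep else []
    return backend, tokens


def check_ldap_servers(tokens, library):
    """Validate the server list for library 'openldap' or 'netscape' (constructed
    labels); returns 'error: ...' and 'warning: ...' strings, [] when clean."""
    issues = []
    if not tokens:
        return ["warning: no URL given, defaults to ldap://localhost"]
    for i, tok in enumerate(tokens):
        if i == 0 or library == "openldap":
            if not URL_RE.match(tok):
                issues.append(f"error: {tok!r} must be a full ldap:// or ldaps:// URL for {library}")
                continue
        elif URL_RE.match(tok) or not HOST_RE.match(tok):
            issues.append(f"error: {tok!r} must be a bare host[:port] after the first URL (netscape)")
            continue
        if tok.startswith("ldap://"):
            issues.append(f"warning: {tok!r} is plaintext LDAP; use ldaps:// or Start-TLS (see 'ldap ssl')")
    if len(tokens) == 1:
        issues.append("warning: single server, no failover")
    return issues


def validate_passdb_line(line, library):
    """Parse, then check the server list only when the backend is ldapsam."""
    try:
        backend, tokens = parse_passdb_backend(line)
    except ValueError as exc:
        return [f"error: {exc}"]
    return check_ldap_servers(tokens, library) if backend == "ldapsam" else []
```

Run validate_passdb_line(cfg, "netscape") on the three config lines from the thread: the ldap: line is rejected, the two-URL OpenLDAP form errors on its second entry, and the form that finally worked passes with only a plaintext warning.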